MySQL Secret Engine Config, use SSL


I am trying (and failing) to connect to a MySQL instance hosted in GCP using SSL. All of our cloud-hosted databases require SSL connections, and so far, getting Postgres integrated with the Vault DB Secret Engine has been moderately straightforward: we have a copy of the client cert on the Vault instance, then reference that file location in the connection string. Doing so with MySQL, however, does not appear to work, at least the way I’ve tried it. This does work if we disable requiring SSL. Additionally, I can connect locally using the cert files and username/password combination.

I get the error: Error 1045: Access denied for user 'vault'@'{IP_ADDRESS}'

The IP is valid when interpolated, and I’ve verified I can hit the DB’s IP and port from that IP.

My connection string is as follows (note, we had to URL-encode the query params as it complained about “/” characters): {{username}}:{{password}}@tcp({HOST}:3306)/?ssl-mode=VERIFY_CA&ssl-cert=%2fdatabase%2fssl%2fssl_client_cert&ssl-key=%2fdatabase%2fssl%2fssl_client_key&ssl-ca=%2fdatabase%2fssl%2fssl_ca

The host is correct when interpolated.

Any hints or ideas would be greatly appreciated. Thanks!

We ended up changing our approach and are using the GCP Cloud SQL Proxy, which uses Google’s encryption instead. Doesn’t necessarily help if your MySQL DB requires mTLS, but it works for us.
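Editor's note, added example (not from the original poster or from HashiCorp). The ssl-mode / ssl-cert / ssl-key / ssl-ca query parameters in the connection string above are options of the mysql command-line client; the Go MySQL driver behind Vault's mysql-database-plugin does not recognise them, so the connection is opened in cleartext and a user created with REQUIRE SSL or REQUIRE X509 is refused with exactly the 1045 "Access denied" error shown. Vault's MySQL plugin instead takes the TLS material as separate config parameters: tls_ca (PEM CA file) and tls_certificate_key (client certificate and private key concatenated into one PEM file), plus tls_server_name when the server certificate's SAN does not match the host in the DSN. The script below builds that combined PEM from the two files the poster already has and issues the vault write. The mount path database, connection name gcp-mysql, role name readonly, bootstrap user vault, the VAULT_DB_PASSWORD / MYSQL_HOST / MYSQL_TLS_SERVER_NAME environment variables and the /database/ssl paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example: configure Vault's MySQL database secrets engine for mutual TLS
# using the plugin's own tls_ca / tls_certificate_key parameters rather than
# mysql(1)-style ssl-* query parameters in the DSN. Not the original poster's
# code. Paths, names and environment variables below are assumed for illustration.
set -eu

SSL_DIR="${SSL_DIR:-/database/ssl}"                       # assumed cert location
MYSQL_HOST="${MYSQL_HOST:-mysql.example.internal}"        # hypothetical host
MYSQL_PORT="${MYSQL_PORT:-3306}"

# tls_certificate_key expects ONE PEM file: the client certificate followed by
# its private key. The plugin does not accept separate cert and key paths.
# Checks the inputs look like PEM before writing anything, and creates the
# bundle owner-readable only because it contains a private key.
build_client_bundle() {
  cert="$1"; key="$2"; out="$3"
  grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" \
    || { echo "not a PEM certificate: $cert" >&2; return 1; }
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" \
    || { echo "not a PEM private key: $key" >&2; return 1; }
  umask 077
  cat "$cert" "$key" > "$out"
  echo "$out"
}

# The DSN stays minimal: credential templates that Vault fills in, host and port.
# No ssl-mode/ssl-cert/ssl-key/ssl-ca: the Go driver ignores them, the session
# stays cleartext, and a REQUIRE SSL / REQUIRE X509 user gets error 1045.
build_connection_url() {
  printf '{{username}}:{{password}}@tcp(%s:%s)/' "$1" "$2"
}

# Vault registers the TLS config with the driver itself; the operator only
# supplies the PEM material. tls_server_name is needed when the server
# certificate's SAN does not match MYSQL_HOST (common with IP-addressed hosts).
configure_vault() {
  bundle="$1"
  vault write database/config/gcp-mysql \
    plugin_name=mysql-database-plugin \
    allowed_roles="readonly" \
    connection_url="$(build_connection_url "$MYSQL_HOST" "$MYSQL_PORT")" \
    username="vault" \
    password="${VAULT_DB_PASSWORD:?set the bootstrap DB password in the environment}" \
    tls_ca=@"$SSL_DIR/ssl_ca" \
    tls_certificate_key=@"$bundle" \
    tls_server_name="${MYSQL_TLS_SERVER_NAME:-}"
}

main() {
  bundle=$(build_client_bundle "$SSL_DIR/ssl_client_cert" \
                               "$SSL_DIR/ssl_client_key" \
                               "$SSL_DIR/vault_client_bundle.pem")
  configure_vault "$bundle"
}

# Only act when the certificate material and the vault CLI are actually present,
# so the functions above can be sourced and exercised on a machine without either.
if [ -r "$SSL_DIR/ssl_client_cert" ] && command -v vault >/dev/null 2>&1; then
  main
fi
```

After the write, vault read database/config/gcp-mysql should show the plain connection_url, and a role created against it will be issued credentials only if the TLS handshake with the server's CA succeeds; if it still fails with 1045, confirm the MySQL user itself was created with the REQUIRE clause that matches what the client presents (REQUIRE SSL needs only an encrypted session, REQUIRE X509 needs the client certificate in the bundle).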